[PATCH v3 12/25] security: Introduce inode_post_setattr hook
Mimi Zohar
zohar at linux.ibm.com
Thu Oct 12 00:08:53 UTC 2023
gOn Mon, 2023-09-04 at 15:34 +0200, Roberto Sassu wrote:
> From: Roberto Sassu <roberto.sassu at huawei.com>
>
> In preparation for moving IMA and EVM to the LSM infrastructure, introduce
> the inode_post_setattr hook.
>
> It is useful for EVM to recalculate the HMAC on modified file attributes
> and other file metadata, after it verified the HMAC of current file
> metadata with the inode_setattr hook.
"useful"?
At inode_setattr hook, EVM verifies the file's existing HMAC value. At
inode_post_setattr, EVM re-calculates the file's HMAC based on the
modified file attributes and other file metadata.
>
> LSMs should use the new hook instead of inode_setattr, when they need to
> know that the operation was done successfully (not known in inode_setattr).
> The new hook cannot return an error and cannot cause the operation to be
> reverted.
Other LSMs could similarly update security xattrs or ...
>
> Signed-off-by: Roberto Sassu <roberto.sassu at huawei.com>
Reviewed-by: Mimi Zohar <zohar at linux.ibm.com>
More information about the Linux-security-module-archive
mailing list